Scenario-based practice

Troubleshooting Scenario Questions

Practise Google Professional Cloud Architect practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions | Exam code: PCA | Vendor: Google Cloud

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (easy, multiple choice)

A startup uses Cloud Functions with a Pub/Sub trigger to process incoming orders. They notice that the function sometimes fails to process messages, and those messages are lost. What is the most likely cause?

Question 2 (hard, multiple choice)

The exhibit shows a command to create a Compute Engine instance. The instance is intended to run a web server that needs to access Cloud Storage buckets using its service account. However, the web server fails to read from a storage bucket. What is the most likely cause?

Exhibit

Refer to the exhibit.

```bash
gcloud compute instances create my-instance \
    --zone=us-central1-a \
    --machine-type=n1-standard-4 \
    --image-family=ubuntu-2004-lts \
    --image-project=ubuntu-os-cloud \
    --boot-disk-size=50GB \
    --boot-disk-type=pd-ssd \
    --scopes=cloud-platform \
    --service-account=my-sa@project.iam.gserviceaccount.com \
    --tags=http-server,https-server
```

Question 3 (easy, multiple choice)

An application running on Compute Engine instances behind a load balancer experiences intermittent failures. Health checks show instances passing, but some users get errors. What should be the first troubleshooting step?

Question 4 (easy, multiple choice)

A developer runs the command above and sees the output. The cluster has one node pool with 3 nodes, each of type e2-standard-4 (4 vCPU, 16 GB RAM). The application requires at least 2 GB of memory per pod and the cluster has 10 pods that need to be scheduled. The developer also notices that the node pool autoscaling is enabled with a minimum of 1 and maximum of 5 nodes. However, the cluster is unable to schedule all pods. What is the most likely cause?

Exhibit

Refer to the exhibit.

```
$ gcloud container clusters describe my-cluster --zone us-central1-a --format 'table(name, nodeConfig.machineType, nodePools[].initialNodeCount, nodePools[].config.machineType)'
NAME: my-cluster
MASTER_VERSION: 1.28.5-gke.2000
NODE_CONFIG_MACHINE_TYPE: e2-standard-4
NODE_POOLS: [0].initialNodeCount: 3
NODE_POOLS: [0].config.machineType: e2-standard-4
```

Question 5 (medium, multi-select)

An organization wants to monitor network traffic between VMs in a VPC for troubleshooting. Which TWO services can provide this?

Question 6 (easy, multiple choice)

Refer to the exhibit. A user (ops@example.com) is unable to create a new VPC network in the project. What should the administrator verify first?

Exhibit

```json
{
  "bindings": [
    {
      "role": "roles/compute.viewer",
      "members": [
        "user:ops@example.com"
      ]
    }
  ]
}
```

Question 7 (hard, multiple choice)

A company uses Cloud NAT to allow private instances to access the internet. They notice intermittent connectivity issues. What should they check first?

Question 8 (medium, multiple choice)

Refer to the exhibit. A user alice@example.com is unable to list objects in bucket 'bucket-b'. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "bindings": [
    {
      "role": "roles/storage.objectViewer",
      "members": ["user:alice@example.com"],
      "condition": {
        "title": "only_bucket_a",
        "expression": "resource.name.startsWith('projects/_/buckets/bucket-a/')"
      }
    }
  ]
}
```

Question 9 (hard, multiple choice)

A multinational corporation has deployed a web application across multiple Google Cloud regions using an external HTTPS load balancer with backend services in each region. They recently added a new region (asia-southeast1) and updated the load balancer configuration. After the update, some users in that region report high latency and occasional connection timeouts when accessing the application. The load balancer health checks show all backends as healthy. The network team confirms that the backend instances in asia-southeast1 are correctly configured and can be accessed directly via their external IPs. What should the architects investigate next?

Question 10 (medium, multiple choice)

A Cloud Function fails to connect to a Cloud SQL instance. The Cloud SQL instance has a private IP. What should the developer check?

Question 11 (hard, multi-select)

A company has set up an external HTTP(S) load balancer with a backend service pointing to a managed instance group. Some instances are failing health checks. Which TWO actions should the company take to troubleshoot the issue?

Question 12 (hard, multiple choice)

A company runs multiple microservices on Cloud Run. Each service uses a Serverless VPC Access connector to connect to a shared Cloud Memorystore for Redis instance (standard tier) in a VPC network. The Redis instance is configured with a firewall rule that allows TCP connections on port 6379 from the VPC connector's subnet (10.8.0.0/28). After a recent code update, the order-service fails to connect to Redis, while the user-service continues to work. The error logs in order-service show 'connection refused'. The engineer verifies that both services use the same VPC connector, the same Redis instance IP, and the same service account. The VPC connector's metrics show no errors. What is the most likely cause?

Question 13 (medium, multiple choice)

An organization has two Google Cloud projects: Project A hosts a Compute Engine instance with a MySQL database, and Project B hosts an application that needs to connect to the database. The network team set up VPC peering between the two VPCs. The application cannot connect to the database on port 3306. The database instance has a private IP. The network team has verified that firewall rules in both VPCs allow traffic from Project B's subnets to the database IP on port 3306. Ping from the application instance to the database IP succeeds. What should the architect do to resolve the connectivity issue?

Question 14 (hard, multiple choice)

A company runs a critical web application behind an external HTTPS load balancer. The backend consists of a managed instance group of Compute Engine instances. Users report intermittent 502 Bad Gateway errors. The load balancer logs show occasional health check failures for some instances. The instances have a custom health check endpoint that returns a 200 status code only if the application is fully healthy. The application logs do not show any errors, and CPU/memory usage on the instances is normal. What should be the first troubleshooting step to identify the root cause?

Question 15 (medium, multiple choice)

A startup is deploying a microservices application on Google Kubernetes Engine (GKE) with a regional cluster. They have services that need to communicate with each other and also with external APIs. The cluster uses VPC-native routing. They have enabled Cloud NAT to allow outbound internet access for nodes without external IPs. However, the development team reports that some pods cannot reach the external APIs, while others can. All pods are in the same namespace and are not using any network policies. The pods that fail have the annotation 'cloud.google.com/gke-nat-ips' set to a list of static IP addresses. The pods that work do not have this annotation. What is the most likely cause of the failure?

These PCA practice questions are part of Courseiva's free Google Cloud certification practice question bank. Courseiva provides original exam-style PCA questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.